
July 10th, 2007

Microsoft drops 6 bulletins, fixing 11 vulnerabilities

Posted by Ryan Naraine @ 11:53 am

Categories: Botnets, Browsers, Data theft, Exploit code, Firefox, Google, Hackers, Metasploit, Microsoft, Open source, Oracle, Passwords, Patch Watch, Pen testing, Privacy, Responsible disclosure, Spam and Phishing, Symantec, Viruses and Worms, Vulnerability research, Zero-day attacks

Tags: Attacker, Vulnerability, Microsoft Windows, Microsoft Corp., Bulletin, Microsoft, Information Disclosure, Ryan Naraine

Microsoft’s Patch Tuesday train arrived today with six bulletins covering at least 11 vulnerabilities, most carrying the company’s highest severity rating.

As previously reported, three of the six bulletins are rated “critical.” These cover code execution holes in Microsoft Excel, Windows Active Directory and the .Net Framework.

The three other bulletins deal with a “moderate” information disclosure flaw in the Vista Firewall, and two “important” issues affecting IIS 5.1 on Windows XP SP2 and Microsoft Office Publisher 2007.

The July Patch Tuesday cheat-sheet:

MS07-036 – Covers three different vulnerabilities in Microsoft Excel that could lead to complete PC takeover attacks. One of the three bugs was publicly disclosed before this patch release. These flaws affect the latest 2007 Microsoft Office System but the severity is downgraded for this version because of defense-in-depth mitigations built into the product.

MS07-037 — This covers a remote code execution hole in Microsoft Office Publisher 2007. An attacker could exploit the vulnerability by constructing a specially crafted Publisher (.pub) page. When a user views the .pub page, the vulnerability could allow remote code execution. Rated “important,” it was discovered by researchers at eEye Digital Security in February, meaning that it took Microsoft about six months to deliver a fix. eEye reckons this patch is 73 days overdue.

[ ALSO SEE: Skeletons in Microsoft's Patch Day closet ]

MS07-038 — This is the only patch in this month’s batch that affects Windows Vista. It is an information disclosure issue in Windows Vista that could allow a remote anonymous attacker to send inbound network traffic to the affected system. It would be possible for the attacker to gain information about the system over the network. The bug was privately reported to Microsoft by Jim Hoagland and Ollie Whitehouse of Symantec.

MS07-039 — Covers a pair of “critical” vulnerabilities in implementations of Active Directory on Windows 2000 Server and Windows Server 2003 that could allow remote code execution or a denial of service condition.

MS07-040 — This update fixes at least three vulnerabilities in the .Net Framework. Microsoft says two of these bugs could allow remote code execution on client systems with .NET Framework installed, and one could allow information disclosure on Web servers running ASP.NET. One of these flaws was “partially disclosed” at the recent SyScan conference in Singapore and there were rumblings that Microsoft kept pushing off patching this issue for several months. Keep your eyes on Security-Assessment for more on this.

MS07-041 — Contains a patch for an “important” remote code execution vulnerability in Microsoft Internet Information Services (IIS). An attacker could send specially crafted URL requests to a Web page hosted by Internet Information Services (IIS) 5.1 on Windows XP Professional Service Pack 2 to take complete control of an affected system. IIS 5.1 is not part of a default install of Windows XP Professional Service Pack 2.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.

